Social Sharing

CRA spends millions but fails to stop tax workers from snooping on Canadians, documents show

The Canada Revenue Agency has long had a problem with employees sneaking a peek at the tax files of friends and foes, and has spent some $10.5 million to try to stop it. But so far this year, at least nine workers managed to get around the safeguards, according to documents obtained by CBC News.

Deliberate snooping

Federal government departments are responsible for hundreds of significant privacy breaches each year, but most are inadvertent, such as mail sent with the wrong address or misplaced memory sticks.

Most cases at CRA, on the other hand, are the result of deliberate snooping by employees.

The agency has spent $10.5 million since 2013 to make its computers more secure against its own workers, and more money is earmarked for next year to comply with recommendations from the federal privacy office, including enhancing system controls so employees can only access information they need to do their jobs.

The agency reports that it has made several important improvements to its management of personal information.- Privacy Commissioner Daniel Therrien's 2016 report

Privacy Commissioner Daniel Therrien's latest annual report, delivered in September, said his office was assured that CRA has implemented almost all the safeguards recommended in the 2013 audit.

"The agency reports that it has made several important improvements to its management of personal information including introducing new policies, increasing corporate oversight and ensuring more timely assessment of privacy and security risks," he wrote.

CRA has been voluntarily reporting breaches since at least 2011. Since May 2014, federal government policy has required all departments and agencies to report material breaches to both the privacy commissioner and to the Treasury Board Secretariat.

The government defines "material" breaches as "those that involve sensitive personal information and could reasonably be expected to cause injury or harm to the individual."

Privacy Commissioner Daniel Therrien was told CRA has taken action to stop workers from improperly snooping on Canadians' confidential tax files, but new documents show the breaches have continued. (Adrian Wyld/Canadian Press)

The number of breaches rose from seven in 2011 to 30 in 2015, but experts say that's likely the result of greater vigilance in spotting rogue employees rather than more snooping. The total for 2016 is not yet available, but CRA says it's down from last year.

CRA manages one of the biggest confidential databases in Canada, and about two-thirds of some 40,000 workers have electronic access. The agency is the fourth worst offender for material privacy breaches among some 240 federal institutions that are subject to the Privacy Act, behind only Veterans Affairs Canada, Immigration, and Corrections Canada.

The agency typically notifies taxpayers whenever their information has been compromised, though this year's victims included several deceased Canadians.

CRA says it has fired eight of the nine workers caught so far this year.

"CRA systems are strong, tight controls are in place, and we continue to assess and improve our controls on an ongoing basis," spokeswoman Lisa Damien said in an email.

High-profile cases

CRA has seen at least three other high-profile privacy controversies in the past three years.

The so-called Heartbleed vulnerability in CRA's computers allowed a hacker to extract the social insurance numbers of some 900 Canadians in 2014.

A mailroom mix-up at CRA later that year sent a CD full of confidential taxpayer information to CBC News.

And earlier this year, a federal oversight body reported CRA had been turning over confidential taxpayer information to the Canadian Security Intelligence Service, even though the spy agency had not first secured the necessary court warrant.

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.